What is CSP?
CSP (Configuration Service Provider) is an interface to read, set, modify, or delete configuration settings, which are mapped to registry keys or files on the device. These CSPs support SyncML or WAP as the information synchronization standard. There are a number of supported CSPs in Windows 10.
What is Policy CSP?
This enables the capability of configuring policies on Windows 10. It has the following sub-categories:
- Policy/Config/AreaName – Handles the policy configuration request from the server.
- Policy/Result/AreaName – Provides a read-only path to policies enforced on the device.
The full URI path has the form:
./[Device|User]/Vendor/MSFT/Policy/[Config|Result]/AreaName/PolicyName
ADMX-backed policy
ADMX policies, or Administrative Templates, are registry-based policies. When you open the Local Group Policy Editor, you can see the available administrative templates scoped under both the computer and the user configurations in hierarchical order.
Unlike a traditional domain controller/Group Policy system, an MDM-managed client does not require the Group Policy Service, since ADMX files are used to define policies independently of Group Policy.
The ADMX file, which defines the Group Policies, is either processed at OS-build time or set by the client at OS runtime. In both cases, the client and the MDM ISV must be coordinated on the ADMX policy definitions.
By analyzing the associated ADMX file, Windows maps the name and category path of a Group Policy to an MDM policy area and policy name and stores the metadata. When the MDM policy is referenced by a SyncML command and the Policy CSP URI, the client looks up the stored metadata in the MDM Policy CSP client store and determines which registry keys are added or removed.
Most Group Policies are a simple Boolean type, either Enabled or Disabled, and some have input fields. If there are input fields, the MDM server must supply the data.
For example, if the policy contains just a Boolean value (enabled or disabled), the payload of the SyncML command is simply set to <enabled/> or <disabled/>.
If the policy contains input fields (<text> elements with an id attribute), there must be a corresponding <data/> element with a matching id attribute in the payload.
Configuration
For this guide, I will configure the default homepage in Internet Explorer using an ADMX-backed policy. The associated Group Policy name for this is Disable changing home page settings.
Part – 1 (Configuring Syntax)
1. Open the Local Group Policy Editor (gpedit.msc) and navigate to User Configuration > Administrative Templates > Windows Components > Internet Explorer.
It’s a policy with an input field.
To configure the necessary value of this policy, several other details are required from the ADMX file in %SystemRoot%\policydefinitions. The associated ADMX file for this policy is inetres.admx.
2. Open the file in Notepad and search for “RestrictHomePage”, which is the name of the corresponding Group Policy.
It contains the text element id and value, which need to be configured as the data id and value in the SyncML command.
So, after formatting this according to the appropriate SyncML syntax, it should look something like this:
<enabled/><data id="EnterHomePagePrompt" value="https://www.google.lk" />
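The lookup in Part 1 can also be scripted. The following is an added example, not part of the original post: it reads a policy's input fields from an ADMX definition and builds the payload, refusing data ids the ADMX does not define. The function names `policy_elements` and `build_payload` are hypothetical, and the ADMX excerpt is constructed for the example rather than copied from inetres.admx.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import quoteattr

# Constructed ADMX excerpt modelled on the policy above; not copied from inetres.admx.
SAMPLE_ADMX = r"""<policyDefinitions
    xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">
  <policies>
    <policy name="RestrictHomePage" class="User">
      <elements>
        <text id="EnterHomePagePrompt" required="true" valueName="Start Page"
              key="Software\Policies\Microsoft\Internet Explorer\Main" />
      </elements>
    </policy>
  </policies>
</policyDefinitions>"""


def local(tag):
    """Drop the XML namespace so lookups work with or without xmlns."""
    return tag.rsplit("}", 1)[-1]


def policy_elements(admx_xml, policy_name):
    """Return {element id: metadata} for the input fields of one ADMX policy."""
    for node in ET.fromstring(admx_xml).iter():
        if local(node.tag) != "policy" or node.get("name") != policy_name:
            continue
        fields = {}
        for group in node:
            if local(group.tag) == "elements":
                for el in group:
                    fields[el.get("id")] = {
                        "type": local(el.tag),
                        "required": el.get("required") == "true",
                        "key": el.get("key"),
                        "valueName": el.get("valueName"),
                    }
        return fields
    raise KeyError(f"policy {policy_name!r} not found in ADMX")


def build_payload(fields, values):
    """Build the enabled-state payload; reject ids the ADMX does not define."""
    unknown = sorted(set(values) - set(fields))
    missing = sorted(i for i, m in fields.items() if m["required"] and i not in values)
    if unknown or missing:
        raise ValueError(f"unknown ids: {unknown}; missing required ids: {missing}")
    # quoteattr() escapes &, < and quotes so a value cannot break out of the attribute.
    data = "".join(f"<data id={quoteattr(i)} value={quoteattr(v)} />" for i, v in values.items())
    return "<enabled/>" + data
```

To check a real template, pass the text of the ADMX file from %SystemRoot%\policydefinitions to `policy_elements` in place of the constructed sample.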
Part – 2 (Configuring Intune Policy)
1. Log in to the new Intune portal (https://portal.azure.com).
2. Navigate to Intune > Device Configuration > Profiles and click Create Profile.
3. On the Create profile blade, enter a Name and Description, select Windows 10 as the Platform and Custom as the Profile type.
4. On the Custom OMA-URI Settings blade, click Add. On the Add Row blade, enter a Name and Description.
In the OMA-URI field, enter the Policy CSP URI path:
./User/Vendor/MSFT/Policy/Config/InternetExplorer/DisableHomePageChange
Select String as the data type, and in the value area enter the SyncML syntax:
<enabled/><data id="EnterHomePagePrompt" value="https://www.google.lk" />
5. Click OK and finally click Create.
6. Assign the policy to a user group.
Part – 3 (Verifying)
1. Log in to an enrolled Windows 10 version 1703 client machine with the user account the policy is assigned to.
2. Open Internet Explorer and navigate to Settings > Internet Options. Under General > Home Page, the default home page has been set to www.google.lk and it cannot be changed, the same as if it had been configured with the good old GPO method.
Since ADMX policies are mainly registry punches, a new registry key has now been added under Computer\HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Main\Start Page
As of now, it’s only possible to configure policies defined by Microsoft, and this will be supported on Windows 10 version 1703 onwards for devices enrolled as Mobile Devices in Intune.
Further Reading
Configuration service provider reference
Policy CSP
Understanding ADMX-backed policies
Hi, Great article! Maybe you know where to find a reference of all supported OMA-URIs?
Hi, Please refer below article.
https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-configuration-service-provider#policies
Refer to the baseline policy available and apply it on users. OMA-URI is the thing of the past to a large extent.
I followed this step by step but I don't see my IE updating to this policy. Any ideas?
What is the Windows 10 version () you are using and edition?
1709 Ent
Hi,
A very nice article. Could you please provide information on disabling autoplay on windows 10.
https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-autoplay#autoplay-disallowautoplayfornonvolumedevices